How to verify peer dependency resolution correctness when migrating pnpm 7 → 10?

[faizanongit]

I am migrating a large Rush.js + pnpm monorepo from pnpm 7 to pnpm 10 and want to validate that peer dependency resolutions are correct after migration. Looking for guidance on what checks to perform and whether our approach has known pitfalls.

Scale

• ~500 Rush projects (workspace packages)
• ~7,000 unique package@version combinations in the lockfile
• ~8,000 total entries in the v5.4 lockfile (including peer dependency variants)
• ~7,500 snapshot entries in the v9.0 lockfile
• ~1,500 packages declare peerDependencies

Migration approach

I followed a stepwise migration path: 7 → 8 → 9 → 10, running rush install at each major version boundary to let the lockfile format upgrade naturally (5.4 → 6.x → 7.x → 9.0).

To preserve pnpm 7 resolution behavior as closely as possible, i set these .npmrc options:

# Restore pnpm 7 behavior: share one copy when the package version is the same,
# preventing duplicate instances of singleton packages (e.g. React) at runtime
# in webpack-bundled apps.
dedupe-peer-dependents=false

# Explicitly disable auto-installing peer dependencies (pnpm 7 default).
auto-install-peers=false

# pnpm 10 changed virtual-store-dir-max-length default from 120 to 60.
# Keep at 120 to preserve .pnpm directory names that match webpack loader patterns.
virtual-store-dir-max-length=120

What I've verified so far

• Package set: identical. All ~7,000 package@version combos match exactly.
• Critical singleton packages (framework, state mgmt, design system, i18n): same version sets. No new duplicates introduced.
• ~450 fewer snapshot entries in v9 — expected from dedupe-peer-dependents=false collapsing variants.
• ~300 optional peer deps omitted from v9 snapshots that v5 eagerly resolved (mostly build tools, bundlers, compilers, type defs).
• Zero real version changes in resolved dependencies.

My actual question
Despite all this, I know lockfile diffing can only tell me so much. Is there a way — beyond manual testing of every app to detect if pnpm 10's peer resolution would cause runtime issues compared to pnpm 7?

Specifically:

1. Is there a pnpm command or tool that can report what peers each package actually sees at runtime (i.e., what's in its node_modules after install), so I can diff that between pnpm 7 and 10?
2. The ~450 collapsed snapshot variants and ~300 removed optional peers, is there a way to verify these are genuinely safe and not masking a case where a package would get a different peer at runtime?
3. With dedupe-peer-dependents=false, are there known scenarios where two consumers with different peer requirements share a copy and one gets the wrong version silently (no build error, just wrong behavior at runtime)?
4. Is pnpm why or pnpm list --depth reliable for comparing peer resolution trees between pnpm 7 and 10, or do those commands only reflect declared deps and not actual runtime resolution?

I can do manual testing of each app, but with ~500 projects I'd rather have a systematic approach. Any guidance appreciated.

Thanks!